Audit finds new evidence of cyber security failings within government
- 29 June, 2018 06:30
Scrutiny by the Australian National Audit Office (ANAO) has revealed that the National Archives and Geoscience Australia are yet to implement key cyber security mitigation strategies mandated by government policy.
The ANAO yesterday released the results of its fourth audit of government entities’ cyber resilience.
The agency examined security controls at the National Archives, Geoscience Australia and the Treasury — revealing that of the three, only the Treasury had implemented all of the Australian Signals Directorate’s mandatory ‘Top 4’ mitigation strategies.
The Top 4 comprise application whitelisting, application patching, OS patching, and the restriction of administration privileges based on user duties.
Implementation of the four strategies has — in theory at least — been mandatory since an April 2013 update to the government’s Protective Security Policy Framework. The PSPF set a target compliance date of mid-2014.
The four are a subset of the ASD’s ‘Essential Eight’ — which also includes implementing restrictions on Microsoft Office macros, user application hardening, daily backups and implementing multi-factor authentication.
“National Archives was not compliant with the Top Four mitigation strategies but had sound ICT general controls and so was assessed as not cyber resilient but internally resilient,” the ANAO found.
“Geoscience Australia was not compliant with the Top Four mitigation strategies and did not have sound ICT general controls so was assessed as vulnerable to cyber attacks.”
The ANAO concluded that the National Archives is yet to implement application whitelisting or OS patching. Geoscience Australia was not compliant with any of the four strategies.
Each of the three entities had implemented only one of the four non-mandatory strategies from the Essential Eight — daily backups of important data.
A parliamentary committee last year recommended that implementation of all of the Essential Eight be made mandatory.
In previous years, ANAO audits have found a lack of cyber resilience at a range of federal departments and agencies, including the Australian Federal Police, the Australian Taxation Office, the Department of Human Services and the Department of Immigration and Border Protection (which is now integrated into the Department of Home Affairs).
The release of the audit comes on the heels of a Senate inquiry report that slammed the government’s record when it comes to delivering major ICT projects.